Lagom: Add a fuzzer for LZMA decompression

Author: https://github.com/timschumi Commit: https://github.com/SerenityOS/serenity/commit/123e9fa5d0 Pull-request: https://github.com/SerenityOS/serenity/pull/17744 Reviewed-by: https://github.com/ADKaster Reviewed-by: https://github.com/IdanHo ✅ Reviewed-by: https://github.com/gmta Reviewed-by: https://github.com/kleinesfilmroellchen ✅
2025-04-22 04:25:13 +00:00 · 2023-03-07 18:36:36 +01:00 · 2023-03-07 18:36:36 +01:00 · 123e9fa5d0 · 2024-07-17 03:27:40 +09:00
commit 123e9fa5d0
parent 858c44ae1b
2 changed files with 37 additions and 0 deletions
--- a/Meta/Lagom/Fuzzers/CMakeLists.txt
+++ b/Meta/Lagom/Fuzzers/CMakeLists.txt
@ -35,6 +35,7 @@ add_simple_fuzzer(FuzzGzipDecompression LibCompress)
 add_simple_fuzzer(FuzzICCProfile LibGfx)
 add_simple_fuzzer(FuzzICOLoader LibGfx)
 add_simple_fuzzer(FuzzJPEGLoader LibGfx)
+add_simple_fuzzer(FuzzLzmaDecompression LibArchive LibCompress)
 add_simple_fuzzer(FuzzMatroskaReader LibVideo)
 add_simple_fuzzer(FuzzMD5 LibCrypto)
 add_simple_fuzzer(FuzzMP3Loader LibAudio)
--- a/Meta/Lagom/Fuzzers/FuzzLzmaDecompression.cpp
+++ b/Meta/Lagom/Fuzzers/FuzzLzmaDecompression.cpp
@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2023, Tim Schumacher <timschumi@gmx.de>.
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <AK/MemoryStream.h>
+#include <LibCompress/Lzma.h>
+
+extern "C" int LLVMFuzzerTestOneInput(uint8_t const* data, size_t size)
+{
+    // LibFuzzer has a default memory limit of 2048 MB, so limit the dictionary size to a
+    // reasonable number to make sure that we don't actually run into it by allocating a
+    // huge dictionary. The chosen value is double of what the largest dictionary in the
+    // specifications test files is, so it should be more than enough for fuzzing everything
+    // that we would want to fuzz.
+    constexpr size_t largest_reasonable_dictionary_size = 16 * MiB;
+
+    if (size >= sizeof(Compress::LzmaHeader)) {
+        auto const* header = reinterpret_cast<Compress::LzmaHeader const*>(data);
+        if (header->dictionary_size() > largest_reasonable_dictionary_size)
+            return -1;
+    }
+
+    auto stream = make<FixedMemoryStream>(ReadonlyBytes { data, size });
+    auto decompressor_or_error = Compress::LzmaDecompressor::create_from_container(move(stream));
+    if (decompressor_or_error.is_error())
+        return 0;
+    auto decompressor = decompressor_or_error.release_value();
+    while (!decompressor->is_eof()) {
+        auto maybe_error = decompressor->discard(4096);
+        if (maybe_error.is_error())
+            break;
+    }
+    return 0;
+}